Abstract. We consider the scenario where Alice wants to send a secret (classical) n-bit message to Bob using a classical key, and where only one-way transmission from Alice to Bob is possible. In this case, quantum communication cannot help to obtain perfect secrecy with key length smaller than n. We study the question of whether there might still be fundamental differences between the case where quantum as opposed to classical communication is used. In this direction, we show that there exist ciphers with perfect security producing quantum ciphertext where, even if an adversary knows the plaintext and applies an optimal measurement on the ciphertext, his Shannon uncertainty about the key used is almost maximal. This is in contrast to the classical case where the adversary always learns n bits of information on the key in a known plaintext attack. We also show that there is a limit to how different the classical and quantum cases can be: the most probable key, given matching plain- and ciphertexts, has the same probability in both the quantum and the classical cases. We suggest an application of our results in the case where only a short secret key is available and the message is much longer. Namely, one can use a pseudorandom generator to produce from the short key a stream of keys for a quantum cipher, using each of them to encrypt an n-bit block of the message. Our results suggest that an adversary with bounded resources in a known plaintext attack may potentially be in a much harder situation against quantum stream-ciphers than against any classical stream-cipher with the same parameters.

1 Introduction 

In this paper, we consider the scenario where Alice wants to send a secret (classical) n-bit message to Bob using an m-bit classical shared key, and where only one-way transmission from Alice to Bob is possible (or at least where interaction is only available with a prohibitively long delay). If interaction had been available, we could have achieved (almost) perfect secrecy using standard quantum key exchange, even if m < n. But with only one-way communication, we need m ≥ n even with quantum communication [1].

We study the question of whether there might still be some fundamental differences between the case where quantum as opposed to classical communication is used. In this direction, we present two examples of cryptosystems with perfect security producing n-bit quantum ciphertexts, and with key length m = n + 1, respectively m = 2n. We show that given plaintext and ciphertext, and even when applying an optimal measurement to the ciphertext, the adversary can learn no more than n/2, respectively 1 bit of Shannon information on the key. This should be compared to the fact that for a classical cipher with perfect security, the adversary always learns n bits of information on the key. While proving these results, we develop a method which may be of independent interest, for estimating the maximal amount of Shannon information that a measurement can extract from a mixture. We note that the first example can be implemented without quantum memory; it only requires technology similar to what is needed for quantum key exchange, and is therefore within reach of current technology. The second example can be implemented with a circuit of O(n^3) gates, out of which only O(n^2) are elementary quantum gates.

We also discuss the composition of ciphers, i.e., what happens to the uncertainty of keys when the same quantum cipher is used to encrypt several blocks of data using independent keys. This requires some care: it is well known that cryptographic constructions do not always compose nicely in the quantum case. For composition of our ciphers, however, we show that the adversary's uncertainty about the keys grows linearly with the number of blocks encrypted, and in some cases it can be shown to grow exactly as one would expect classically.

On the other hand, we show that there is a limit to how different the quantum 
and classical cases can be. Namely, the most probable key (i.e. the min-entropy 
of the key), given matching plain- and ciphertexts, has the same probability in 
both cases. 

On the technical side, a main observation underlying our results on Shannon key-uncertainty is that our method for estimating the optimal measurement w.r.t. Shannon entropy can be combined with known results on so-called entropic uncertainty relations [6,4,8] and mutually unbiased bases [9]. We note that somewhat related techniques are used in concurrent independent work by DiVincenzo et al. [3] to handle a different, non-cryptographic scenario.

While we believe the above results are interesting, and perhaps even somewhat surprising from an information theoretic point of view, they have limited practical significance if perfect security is the goal: a key must never be reused, and so we do not really have to care whether the adversary learns information about it when it is used.

However, there is a different potential application of our results to the case where only a short secret key is available, and where no upper bound on the message length is known a priori. In such a case, only computational security is possible and the standard classical way to encrypt is to use a stream-cipher: using a pseudorandom generator, we expand the key into a long random-looking keystream, which is then combined with the plaintext to form the ciphertext. The simplest way of doing such a combination is to take the bit-wise XOR of key and plaintext streams. In a known plaintext attack, an adversary will then be able to learn full information on a part of the keystream and can try to analyze it to find the key or guess other parts of the keystream better than at random. In general, any cipher with perfect secrecy, n-bit plain- and ciphertext and m-bit keys can be used: we simply take the next m bits from the keystream and use these as key in the cipher to encrypt the next n bits of the plaintext. It is easy to see that for any classical cipher, if the adversary knows some n-bit block of plaintext and also the matching ciphertext, then he learns n bits of Shannon information on the keystream.

If instead we use quantum communication and one of our quantum ciphers mentioned above, intuition suggests that an adversary with limited resources is in a more difficult situation when doing a known plaintext attack: if measuring the state representing the ciphertext only reveals a small amount of information on the corresponding part of the keystream, then the adversary will need much more known plaintext than in the classical case before being able to cryptanalyze the keystream.

Care has to be taken in making this statement more precise: our results on key uncertainty tell us what happens when keys are random, whereas in this application they are pseudorandom. It is conceivable that the adversary could design a measurement revealing more information by exploiting the fact that the keystream is not truly random. This, however, is equivalent to cryptanalyzing the generator using a quantum computation, and is likely to be technologically much harder than implementing the quantum ciphers. In particular, unless the generator is very poorly designed, it will require keeping a coherent state much larger than what is required for encryption and decryption, simply because one will need to involve many bits from the keystream simultaneously in order to distinguish it efficiently from random. Thus, an adversary limited to measurements involving only a small number of qubits will simply have to make many such measurements, hoping to gather enough classical information on the keystream to cryptanalyze it. Our results apply to this situation: first, since the adversary makes many measurements, we should worry about what he learns on average, so Shannon information is the appropriate measure. Second, even though the keystream is only pseudorandom, it may be genuinely random when considering only a small part of it (see Maurer and Massey [5]).

In Sect. 9, we prove a lower bound on the amount of known plaintext the 
adversary would need in order to obtain a given amount of information on the 
keystream, for a particular type of keystream generator and assuming the size 
of coherent states the adversary can handle is limited. We believe that quantum 
communication helps even for more general adversaries and generators. However, 
quantifying this advantage is an open problem. We stress that our main goal here 
is merely to point out the potential for improved security against a bounded 
adversary. 



2 Preliminaries 



We assume the reader is familiar with the standard notions of Shannon entropy $H(\cdot)$ of a probability distribution, conditional entropy, etc. A related notion that also measures "how uniform" a distribution is, is the so-called min-entropy. Given a probability distribution $\{p_1, \ldots, p_n\}$, the min-entropy is defined as

$H_\infty(p_1, \ldots, p_n) = -\log_2(\max\{p_1, \ldots, p_n\})$ (1)

As usual, $H_\infty(X)$ for random variable $X$ is the min-entropy of its distribution. Min-entropy is directly related to the "best guess" probability: if we want to guess which value random variable $X$ will take, the best strategy is to guess at a value with maximal probability, and then we will be correct with probability $2^{-H_\infty(X)}$. Given the value of another random variable $Y$, we can define $H_\infty(X|Y=y)$ simply as the min-entropy of the distribution of $X$ given that $Y = y$, and similarly to Shannon entropy, we can define $H_\infty(X|Y) = \sum_y \Pr(Y=y) \cdot H_\infty(X|Y=y)$.

The min-entropy can be thought of as a worst-case measure, which is more relevant when you have access to only one sample of some random experiment, whereas Shannon entropy measures what happens on average over several experiments. To illustrate the difference, consider the two distributions (1/2, 1/2) and (1/2, 1/4, 1/4). They both have min-entropy 1, even though it intuitively seems there should be more uncertainty in the second case; indeed the Shannon entropies are 1 and 1.5. In fact, we always have $H(X) \ge H_\infty(X)$, with equality if $X$ is uniformly distributed.



3 Classical Ciphers 

Consider a classical cryptosystem with n-bit plain- and ciphertexts, m-bit keys and perfect secrecy (assuming, of course, that keys are used only once). We identify the cryptosystem with its encryption function $E(\cdot,\cdot)$. We call this an (m, n)-cipher for short.

Definition 1. Consider an (m, n)-cipher E. We define the Shannon key-uncertainty of E to be the amount of Shannon entropy that remains on an m-bit key given n-bit blocks of plain- and ciphertexts, i.e. $H(K|P,C)$, where K, P, C are random variables corresponding to the random choices of key, plaintext and ciphertext blocks for E, and where the key is uniformly chosen. The min-entropy key-uncertainty of E is defined similarly, but w.r.t. min-entropy, as $H_\infty(K|P,C)$.

From the definition, it may seem that the key uncertainties depend on the dis- 
tribution of the plaintext. Fortunately, this is not the case. The key-uncertainty 
in the classical case is easy to compute, using the following slight generalization 
of the classical perfect security result by Shannon: 

Proposition 1. Let E be a cipher with perfect security, and with plaintext, ciphertext and keyspace $\mathcal P, \mathcal C, \mathcal K$, where $|\mathcal P| = |\mathcal C|$. Furthermore, assume that keys are chosen uniformly. For any such cipher, it holds that the distribution of the key, given any pair of matching ciphertext and plaintext, is uniform over a set of $|\mathcal K|/|\mathcal P|$ keys.

Proof. By perfect security, we must have $|\mathcal K| \ge |\mathcal P|$. Now, let us represent the cipher in a table as follows: we index rows by keys and columns by plaintexts, and we fill each entry in the table with the ciphertext resulting from the key and plaintext on the relevant row and column. Then, since correct decryption must be possible and $|\mathcal P| = |\mathcal C|$, each ciphertext appears exactly once in each row. Fix any ciphertext c, and let $t_c$ be the number of times c appears in, say, the first column. Since the probability distribution of the ciphertext must be the same no matter the plaintext, c must appear $t_c$ times in every column. Since it also appears in every row, it follows that the length of a column satisfies $|\mathcal K| = t_c |\mathcal P|$. So $t_c = |\mathcal K|/|\mathcal P|$ is the same for every c. If we know a matching plaintext/ciphertext pair, we are given some c and a column, and all we know is that the key corresponds to one of the $t_c$ possible rows. The proposition follows. □

Corollary 1. For any classical (m, n)-cipher, both the Shannon- and min-entropy key-uncertainty is m − n bits.

This result shows that there is no room for improvement in classical schemes: the natural constraints on (m, n)-ciphers imply that the key-uncertainty is always the same, once we fix m and n. As we shall see, this is not true for quantum ciphers. Although they cannot do better in terms of min-entropy key-uncertainty, they can when it comes to Shannon key-uncertainty.
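As an added worked example (this is not code from the paper), the following Python evaluates the two entropies of Sect. 2 on the distributions used there, and then computes both key-uncertainties of Definition 1 by brute force for two constructed classical ciphers with perfect secrecy, confirming Proposition 1 and Corollary 1 (the posterior on the key is uniform over $|\mathcal K|/|\mathcal P| = 2^{m-n}$ keys, so both uncertainties equal m − n). The cipher and function names are my own; the two toy ciphers are constructed for illustration and are not the paper's.

```python
import math
from collections import Counter
from itertools import product


def shannon_entropy(dist):
    """H(p_1, ..., p_n) in bits; zero-probability entries contribute nothing."""
    return -sum(p * math.log2(p) for p in dist if p > 0)


def min_entropy(dist):
    """H_inf(p_1, ..., p_n) = -log2(max p_i), eq. (1)."""
    return -math.log2(max(dist))


# Two constructed classical ciphers with perfect secrecy (toy examples, my own).
# Keys and plaintexts are tuples of bits; m >= n is required.

def padded_otp(key, plain):
    """(m, n)-cipher for any m >= n: the first m - n key bits are ignored,
    the last n key bits act as a one-time pad."""
    n = len(plain)
    return tuple(k ^ p for k, p in zip(key[-n:], plain))


def double_otp(key, plain):
    """(2n, n)-cipher: the two n-bit halves of the key are XORed together
    and the result is used as a one-time pad."""
    n = len(plain)
    pad = [a ^ b for a, b in zip(key[:n], key[n:])]
    return tuple(k ^ p for k, p in zip(pad, plain))


def is_perfectly_secret(cipher, m, n):
    """Perfect secrecy over a uniform key: the ciphertext distribution must be
    the same for every plaintext."""
    keys = list(product((0, 1), repeat=m))
    dists = set()
    for plain in product((0, 1), repeat=n):
        counts = Counter(cipher(key, plain) for key in keys)
        dists.add(tuple(sorted(counts.items())))
    return len(dists) == 1


def key_posterior(cipher, m, plain, cipher_text):
    """Pr(K = k | P = plain, C = cipher_text) for a uniformly chosen m-bit key:
    uniform over the keys consistent with the pair, zero elsewhere."""
    keys = list(product((0, 1), repeat=m))
    consistent = {key for key in keys if cipher(key, plain) == cipher_text}
    return [1 / len(consistent) if key in consistent else 0.0 for key in keys]


def consistent_key_count(cipher, m, plain, cipher_text):
    """Size of the set the key is uniform over; Proposition 1 says |K|/|P| = 2**(m - n)."""
    return sum(1 for p in key_posterior(cipher, m, plain, cipher_text) if p > 0)


def key_uncertainty(cipher, m, n):
    """Returns (H(K|P,C), H_inf(K|P,C)) in bits, averaging over a uniform plaintext
    and the ciphertext it induces, as in Definition 1."""
    keys = list(product((0, 1), repeat=m))
    plaintexts = list(product((0, 1), repeat=n))
    shannon = min_ent = 0.0
    for plain in plaintexts:
        counts = Counter(cipher(key, plain) for key in keys)  # Pr(C = c | P = plain)
        for c, cnt in counts.items():
            pr_pair = (1 / len(plaintexts)) * (cnt / len(keys))
            post = key_posterior(cipher, m, plain, c)
            shannon += pr_pair * shannon_entropy(post)
            min_ent += pr_pair * min_entropy(post)
    return shannon, min_ent


if __name__ == "__main__":
    print(shannon_entropy([0.5, 0.25, 0.25]), min_entropy([0.5, 0.25, 0.25]))  # 1.5 1.0
    for name, cipher, m, n in (("padded_otp", padded_otp, 4, 3), ("double_otp", double_otp, 6, 3)):
        print(name, is_perfectly_secret(cipher, m, n), key_uncertainty(cipher, m, n))
```

For `padded_otp` with (m, n) = (4, 3) every matching pair leaves exactly two candidate keys, and for `double_otp` with (6, 3) exactly eight, so the key-uncertainties come out as 1 and 3 bits: the m − n of Corollary 1, identical for the Shannon and the min-entropy measure.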

4 Quantum Ciphers and Min-Entropy Key-Uncertainty 

In this section, we consider quantum ciphers which encrypt classical messages using classical keys and produce quantum ciphertexts.

We model both the encryption and decryption processes by unitary opera- 
tions on the plaintext possibly together with an ancilla. This is the same model 
as used in [1], with the restriction that we only encrypt classical messages. 

Definition 2 ((m, n)-quantum cipher). A general (m, n)-quantum cipher is a tuple $(\mathcal P, \mathcal E)$, such that

— $\mathcal P \subset \mathcal H$ is a finite set of orthonormal pure states (plaintexts) in the Hilbert space $\mathcal H$, and $|\mathcal P| = N$ and $N = 2^n$.

— $\mathcal E = \{E_k : \mathcal H \to \mathcal H \mid k = 1, \ldots, M\}$ is a set of unitary operators (encryptions), and $M = 2^m$. Decryption using key k is performed using $E_k^\dagger$.

And the following properties hold:

— Key hiding: $(\forall k, k' \in \{1, \ldots, M\})$,

$\sum_{a \in \mathcal P} \frac{1}{N} E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger = \sum_{a \in \mathcal P} \frac{1}{N} E_{k'}|a\rangle|0\rangle\langle 0|\langle a|E_{k'}^\dagger.$ (2)

— Data hiding: $(\forall |a\rangle, |b\rangle \in \mathcal P)$,

$\sum_{k=1}^{M} \frac{1}{M} E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger = \sum_{k=1}^{M} \frac{1}{M} E_k|b\rangle|0\rangle\langle 0|\langle b|E_k^\dagger.$ (3)

The key and data hiding properties guarantee that an adversary cannot gain any information about the key and message respectively when an arbitrary ciphertext is seen. In [1], it was shown that data hiding implies that m ≥ n.

The key hiding property states that an adversary with no information on the message encrypted expects to see the same ensemble no matter what key was used. We denote this ensemble

$\rho = \sum_{a \in \mathcal P} \frac{1}{N} E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger,$ (4)

for any $k \in \{1, 2, \ldots, M\}$. As motivation for the key-hiding property, we mention that it is always satisfied if ciphertexts are as short as possible ($\dim(\mathcal H) = 2^n$). On the other hand, if the key-hiding property does not hold then the cipher-state on its own reveals information about the secret key. This is certainly an unnecessary weakness that one should avoid when designing ciphers.

The data hiding property states that the adversary expects to see the same ensemble no matter what message was encrypted. We denote this ensemble

$\sigma = \sum_{k=1}^{M} \frac{1}{M} E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger,$ (5)

for any $a \in \mathcal P$. We first prove that $\rho = \sigma$.

Lemma 1. $\rho = \sigma$.

Proof. Define the state

$\xi = \sum_{k=1}^{M} \sum_{a \in \mathcal P} \frac{1}{MN} E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger.$ (6)

Observe that

$\xi = \sum_{k=1}^{M} \frac{1}{M} \sum_{a \in \mathcal P} \frac{1}{N} E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger = \sum_{k=1}^{M} \frac{1}{M}\rho = \rho.$ (7)

Similarly, when switching the sums in (6), we get $\xi = \sigma$. We conclude that $\rho = \sigma$. □

We are now ready to prove that for any (m, n)-quantum cipher there exists a measurement that returns the secret key with probability $2^{n-m}$ given any plaintext and its associated cipher-state. In other words, and similarly to the classical case, the min-entropy key-uncertainty of any (m, n)-quantum cipher is at most m − n.



Theorem 1 (Min-entropy key uncertainty). Let $(\mathcal P, \mathcal E)$ be an (m, n)-quantum cipher, encoding the set $\mathcal P$. Then

$(\forall a \in \mathcal P)(\exists \text{ POVM } \mathcal M = \{M_k\}_{k=1}^{M})(\forall k \in \{1, \ldots, M\})\;[\operatorname{tr}(M_k E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger) = 2^{n-m}].$ (8)

Proof. Let $|a\rangle \in \mathcal P$ be given. Consider the set $\mathcal M = \{M_k = \frac{N}{M} E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger \mid k = 1, \ldots, M\}$. Lemma 1 gives

$\sum_{k=1}^{M} M_k = \sum_{k=1}^{M} \frac{N}{M} E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger = N\sigma = N\rho.$ (9)

Since the plaintexts are orthogonal quantum states, and since unitary operators preserve angles, we have that $N\rho = \sum_{a \in \mathcal P} E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger$ is the eigendecomposition of $N\rho$ and that 1 is the only eigenvalue. Therefore there exists a positive operator $P$ such that $N\rho + P = I$, and thus

$\sum_{k=1}^{M} M_k + P = N\rho + P = I,$ (10)

and $\mathcal M \cup \{P\}$ (and therefore also $\mathcal M$) is a valid POVM.

The probability of identifying the key with the measurement $\mathcal M$ is

$\operatorname{tr}(M_k E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger) = \operatorname{tr}\bigl(\tfrac{N}{M} E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger\bigr) = \tfrac{N}{M}\operatorname{tr}(E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger) = 2^{n-m},$ (11)

which proves the theorem. □



5 Some Example Quantum Ciphers 

In this section, we suggest a general method for designing quantum ciphers that 
can do better in terms of Shannon key-uncertainty than any classical cipher 
with the same parameters. The properties of our ciphers are analyzed in the 
next section. 

The first example is extremely simple: 

Definition 3. The $H_n$-cipher is an (n + 1, n)-quantum cipher. Given message $b_1, b_2, \ldots, b_n$ and key $c, k_1, \ldots, k_n$, it outputs the following n-qubit state as ciphertext:

$(H^{\otimes n})^{c}\,(X^{k_1} \otimes X^{k_2} \otimes \cdots \otimes X^{k_n})\,|b_1 b_2 \ldots b_n\rangle,$ (12)

where X is the bit-flip operator and H is the Hadamard transform. That is, we use the last n bits of key as a one-time pad, and the first key bit determines whether or not we do a Hadamard transform on all n resulting qubits.



Decryption is trivial by observing that the operator $(X^{k_1} \otimes X^{k_2} \otimes \cdots \otimes X^{k_n})\,(H^{\otimes n})^{c}$ is the inverse of the encryption operator. It is also easy to see that the data hiding property is satisfied: if $c, k_1, \ldots, k_n$ are uniformly random, then the encryption of any message produces the complete mixture (in fact this would be the case already if only $k_1, \ldots, k_n$ were uniformly random).

This cipher can be described from a more general point of view: let $\mathcal B = \{B_0, \ldots, B_{2^t-1}\}$ be a set of $2^t$ orthonormal bases for the Hilbert space of dimension $2^n$. We require that the bases do not overlap, i.e., no unit vector occurs in more than one basis. For instance $\mathcal B$ could consist of the computational basis and the diagonal basis (i.e. $\{H^{\otimes n}|x\rangle \mid x \in \{0,1\}^n\}$). Let $U_i$ be the unitary operator that performs a basis shift from the computational basis to the basis $B_i$. Finally, let $[k_1, \ldots, k_t]$ be the number with binary representation $k_1, \ldots, k_t$. Then we can define an (n + t, n)-cipher $C_{\mathcal B}$ which on input a key $c_1, \ldots, c_t, k_1, \ldots, k_n$ and a plaintext $b_1, \ldots, b_n$ outputs

$U_{[c_1, \ldots, c_t]}\,(X^{k_1} \otimes X^{k_2} \otimes \cdots \otimes X^{k_n}\,|b_1 b_2 \ldots b_n\rangle).$ (13)

The $H_n$-cipher above is a special case with $U_0 = \mathrm{Id}$, $U_1 = H^{\otimes n}$. Using arguments similar to the above, it is easy to see that

Lemma 2. For any set of orthonormal non-overlapping bases $\mathcal B$, $C_{\mathcal B}$ is a quantum cipher satisfying the data hiding and unique decryption properties.

The lemma holds even if $\mathcal B$ contains only the computational basis, in which case $C_{\mathcal B}$ is equivalent to the classical one-time pad. The point of having several bases is that if they are well chosen, this may create additional confusion for the adversary, so that he will not learn full information on the key, even knowing the plaintext. We shall see this below.

For now, we note that Wootters and Fields have shown that in a Hilbert space of dimension $2^n$, there exist $2^n + 1$ orthonormal bases that are mutually unbiased, i.e., the inner product between any pair of vectors from different bases has norm $2^{-n/2}$. Using, say, the first $2^n$ of these bases, we get immediately from the construction above a (2n, n)-cipher:

Definition 4. The $W_n$-cipher is the cipher obtained from the above construction when $\mathcal B$ is the set of $2^n$ mutually unbiased bases obtained from [9].

5.1 Efficient Encoding/Decoding

In this section we look at how to implement $W_n$ efficiently. In [9], a construction for $2^n + 1$ mutually unbiased bases in the space of n qubits is given. In the following, we denote by $v_s^{(r)}$ with $s, r \in \{0,1\}^n$ the s-th vector in the r-th mutually unbiased basis. We write $v_s^{(r)}$ in the computational basis as

$v_s^{(r)} = \sum_{l \in \{0,1\}^n} (v_s^{(r)})_l\,|l\rangle,$ (14)

where $\sum_l |(v_s^{(r)})_l|^2 = 1$. Wootters and Fields [9] have shown that $2^n$ mutually unbiased bases are obtained whenever

for $\alpha$ a vector of n matrices, each of dimension $n \times n$ with elements in {0, 1}. The arithmetic in the exponent of $i$ should be carried out over the integers (or equivalently mod 4). The elements of $\alpha$ are defined by

$\sum_{m=1}^{n} \cdots$ (16)

where the n field elements indexed by m form a basis for $GF(2^n)$ when seen as a vector space. Therefore, $\alpha$ can be computed on a classical computer (and on a quantum one) in $O(n^3)$.

Let $c = c_1, \ldots, c_n$ and $k = k_1, \ldots, k_n$ be the 2n bits of key, with c defining one out of $2^n$ mutually unbiased bases and k defining the key for the one-time-pad encoding. The circuit for encrypting classical message a starts by computing:

$|\psi_{k,a}\rangle = H^{\otimes n} X^{\otimes k}|a\rangle = H^{\otimes n}|a \oplus k\rangle = 2^{-n/2} \sum_{l} (-1)^{(a \oplus k)\cdot l}\,|l\rangle.$ (17)

The state (17) differs from (14) only with respect to the phase factor (a power of $i$) in front of each $|l\rangle$, with $r = c$. Transforming (17) into (14) can easily be achieved using a few controlled operations as described in App. A. The complexity of the quantum encryption circuit is $O(n^3)$, out of which only $O(n^2)$ are quantum gates. The decryption circuit is the same as for the encryption except that it is run in reverse order. A similar encryption/decryption circuit can easily be implemented for any $C_{\mathcal B}$-cipher where $\mathcal B$ is a set of mutually unbiased bases.

6 Optimal measurements w.r.t. Shannon Entropy 

Our ultimate goal is to estimate the Shannon key-uncertainty of an (m, n)-quantum cipher, i.e., the amount of entropy that remains on the key after making an optimal measurement on a ciphertext where the plaintext is given. But actually, this scenario is quite general and not tied to the cryptographic application: what we want to answer is: given a (pure) state chosen uniformly from a given set of states, how much Shannon entropy must (at least) remain on the choice of state after having made a measurement that is optimal w.r.t. minimizing the entropy?

So what we should consider is the following experiment: choose a key $k \in \mathcal K$ uniformly. Encrypt a given plaintext p under key k to get state $|c_k\rangle$ (we assume here for simplicity that this is a pure state). Perform some measurement (that may depend on p) and get outcome u. Letting random variables K, U correspond to the choices of key and outcome, we want to estimate

$H(K|U) = \sum_u \Pr(U=u)\,H(K|U=u).$ (18)

Now, $H(K|U=u)$ is simply the Shannon entropy of the probability distribution $\{\Pr(K=k|U=u) \mid k \in \mathcal K\}$. By the standard formula for conditional probabilities, we have

$\Pr(K=k|U=u) = \frac{\Pr(U=u|K=k)\,\Pr(K=k)}{\Pr(U=u)}.$ (19)

Note that neither $\Pr(U=u)$ nor $\Pr(K=k)$ depends on the particular value of k (since keys are chosen uniformly).

The measurement in question can be modeled as a POVM, which without loss of generality can be assumed to contain only elements of the form $a_u|u\rangle\langle u|$, i.e., a constant times a projection determined by a unit vector $|u\rangle$. This is because the elements of any POVM can be split in a sum of scaled projections, leading to a measurement with more outcomes which cannot yield less information than the original one. It follows immediately that

$\Pr(U=u|K=k) = |a_u|^2\,|\langle u|c_k\rangle|^2.$ (20)

Note that also the factor $|a_u|^2$ does not depend on k. Then by (19) and (20), we get

$\Pr(K=k|U=u) = \frac{\Pr(U=u|K=k)}{\sum_{l \in \mathcal K}\Pr(U=u|K=l)} = \frac{|\langle u|c_k\rangle|^2}{\sum_{l \in \mathcal K}|\langle u|c_l\rangle|^2},$ (21)

which means that we have

$H(K|U=u) = H\Bigl(\Bigl\{\frac{|\langle u|c_k\rangle|^2}{\sum_{l \in \mathcal K}|\langle u|c_l\rangle|^2} \;\Big|\; k \in \mathcal K\Bigr\}\Bigr).$ (22)

In other words, $H(K|U=u)$ can be computed as follows: compute the set of values $\{|\langle u|c_k\rangle|^2 \mid k \in \mathcal K\}$, multiply by a normalization factor so that the resulting probabilities sum to 1, and compute the entropy of the distribution obtained. We call the resulting entropy $H[|u\rangle, S_K]$, where $S_K$ is the set of states that may occur, $\{|c_k\rangle \mid k \in \mathcal K\}$. This is to emphasize that $H[|u\rangle, S_K]$ can be computed only from $|u\rangle$ and $S_K$; we do not need any information about other elements in the measurement. From (18) and $H(K|U=u) = H[|u\rangle, S_K]$ follows immediately

Lemma 3. With notation as above, we have:

$H(K|U) \ge \min_{|u\rangle}\{H[|u\rangle, S_K]\},$ (23)

where $|u\rangle$ runs over all unit vectors in the space we work in.

This bound is not necessarily tight, but it will be, exactly if it is possible to construct a POVM consisting only of (scaled) projections $a_u|u\rangle\langle u|$ that minimize $H[|u\rangle, S_K]$. In general, it may not be easy to solve the minimization problem suggested by the lemma, particularly if $S_K$ is large and lives in many dimensions. But in some cases, the problem is tractable, as we shall see.



7 The Shannon Key-Uncertainty of Quantum Ciphers 



In this section, we study the cipher $C_{\mathcal B}$ constructed from a set of $2^t$ orthonormal bases $\mathcal B$ as defined in Sect. 5. For this, we first need a detour: each basis in our set defines a projective measurement. Measuring a state $|u\rangle$ in basis $B_i \in \mathcal B$ produces a result whose probability distribution depends on $|u\rangle$ and $B_i$. Let $H[|u\rangle, B_i]$ be the entropy of this distribution. We define the Minimal Entropy Sum (MES) of $\mathcal B$ as follows:

$MES(\mathcal B) = \min_{|u\rangle} \sum_{i=0}^{2^t-1} H[|u\rangle, B_i],$ (24)

where $|u\rangle$ runs over all unit vectors in our space. Lower bounds on the minimal entropy sum for particular choices of $\mathcal B$ have been studied in several papers, under the name of entropic uncertainty relations [6,8,4]. This is motivated by the fact that if the sum is large, then it is impossible to simultaneously have small entropy on the results of all involved measurements. One can think of this as a "modern" version of Heisenberg's uncertainty relations. It turns out that the key uncertainty of $C_{\mathcal B}$ is directly linked to $MES(\mathcal B)$:

Lemma 4. The Shannon key uncertainty of the cipher $C_{\mathcal B}$ (with $2^t$ bases) is at least $MES(\mathcal B)/2^t + t$.

Proof. We may use Lemma 3, where the set of states $S_K$ in our case consists of all basis states belonging to any of the bases in $\mathcal B$. To compute $H[|u\rangle, S_K]$, we need to consider the inner products of unit vector $|u\rangle$ with all vectors in $S_K$. In our case, this is simply the coordinates of $|u\rangle$ in each of the $2^t$ bases, so clearly the norm squares of the inner products sum to $2^t$. Let $z_{ij}$ be the i'th vector in the j'th basis from $\mathcal B$. We have

$H[|u\rangle, S_K] = \sum_{j=0}^{2^t-1}\sum_{i=0}^{2^n-1} \frac{1}{2^t}|\langle u|z_{ij}\rangle|^2 \log\bigl(2^t\,|\langle u|z_{ij}\rangle|^{-2}\bigr)$

$= \sum_{j=0}^{2^t-1}\sum_{i=0}^{2^n-1} \frac{1}{2^t}|\langle u|z_{ij}\rangle|^2 \log\bigl(|\langle u|z_{ij}\rangle|^{-2}\bigr) + \sum_{j=0}^{2^t-1}\sum_{i=0}^{2^n-1} \frac{1}{2^t}|\langle u|z_{ij}\rangle|^2 \log(2^t)$

$= \frac{1}{2^t}\sum_{j=0}^{2^t-1}\sum_{i=0}^{2^n-1} |\langle u|z_{ij}\rangle|^2 \log\bigl(|\langle u|z_{ij}\rangle|^{-2}\bigr) + t \cdot \sum_{j=0}^{2^t-1}\sum_{i=0}^{2^n-1} \frac{1}{2^t}|\langle u|z_{ij}\rangle|^2$

$= \frac{1}{2^t}\sum_{j=0}^{2^t-1} H[|u\rangle, B_j] + t \;\ge\; \frac{1}{2^t}MES(\mathcal B) + t.$ (25)

The lemma follows. □



We warn the reader against confusion about the role of $|u\rangle$ and $\mathcal B$ at this point. When we estimate the key uncertainty of $C_{\mathcal B}$, we are analyzing a POVM, where $|u\rangle$ is one of the unit vectors defining the POVM. But when we do the proof of the above lemma and use the entities $H[|u\rangle, B_j]$, we think instead of $|u\rangle$ as the vector being measured according to basis $B_j$. There is no contradiction, however, since what matters in both cases is the inner products of $|u\rangle$ with the vectors in the bases in $\mathcal B$. We are now in a position to give results for our two concrete ciphers $H_n$ and $W_n$ defined earlier.

Theorem 2. The $H_n$-cipher has Shannon key-uncertainty n/2 + 1 bits.

Proof. The main result of [6] states that when $\mathcal B$ is a set of two mutually unbiased bases in a Hilbert space of dimension $2^n$ then $MES(\mathcal B) \ge n$. Using Lemma 4, it follows that $H_n$ has Shannon key-uncertainty at least n/2 + 1. Moreover, there exist measurements (for example the Von Neumann measurement in either the rectilinear or Hadamard basis) achieving n/2 + 1 bits of Shannon key-uncertainty. The result follows. □
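The following is an added example, not code from the paper: a pure-Python statevector simulation of the $H_n$-cipher of Definition 3 that checks decryption and the data hiding property (3), and then carries out the computation of Sect. 6, eqs. (18) to (22), for the Von Neumann measurement in the computational basis named in the proof of Theorem 2. It reproduces the key-uncertainty n/2 + 1 of Theorem 2 for n = 2 and n = 3, and the best-guess probability $2^{n-m} = 1/2$ allowed by Theorem 1. All function names are my own, and the plaintexts and keys are constructed sample values.

```python
import math
from itertools import product


def basis_state(bits):
    """Computational-basis state |b_1 ... b_n> as a list of 2**n complex amplitudes."""
    vec = [0j] * (1 << len(bits))
    vec[int("".join(map(str, bits)), 2)] = 1 + 0j
    return vec


def apply_x(vec, kbits):
    """Apply X^{k_1} (x) ... (x) X^{k_n}: the bit-flips permute amplitudes by XOR with k."""
    k = int("".join(map(str, kbits)), 2)
    out = [0j] * len(vec)
    for i, amp in enumerate(vec):
        out[i ^ k] = amp
    return out


def apply_hadamard_all(vec):
    """Apply H^{(x)n} with a Walsh-Hadamard butterfly, one pass per qubit."""
    out = list(vec)
    h = 1
    while h < len(out):
        for i in range(0, len(out), 2 * h):
            for j in range(i, i + h):
                a, b = out[j], out[j + h]
                out[j], out[j + h] = (a + b) / math.sqrt(2), (a - b) / math.sqrt(2)
        h *= 2
    return out


def hn_encrypt(c, kbits, pbits):
    """H_n-cipher, eq. (12): (H^{(x)n})^c (X^{k_1} (x) ... (x) X^{k_n}) |b_1 ... b_n>."""
    vec = apply_x(basis_state(pbits), kbits)
    return apply_hadamard_all(vec) if c else vec


def hn_decrypt(c, kbits, state):
    """Inverse operator (X^{k_1} (x) ... (x) X^{k_n})(H^{(x)n})^c; X and H are self-inverse.
    The plaintext is read off the single non-zero amplitude."""
    vec = apply_hadamard_all(state) if c else list(state)
    vec = apply_x(vec, kbits)
    idx = max(range(len(vec)), key=lambda i: abs(vec[i]))
    return tuple(int(b) for b in format(idx, "0%db" % len(kbits)))


def all_keys(n):
    """The 2**(n+1) keys (c, k_1 ... k_n) of the H_n-cipher."""
    return [(c, kb) for c in (0, 1) for kb in product((0, 1), repeat=n)]


def is_data_hiding(n, pbits, tol=1e-9):
    """Data hiding (3): the mixture of |c_k><c_k| over a uniform key must equal I / 2**n."""
    dim, keys = 1 << n, all_keys(n)
    rho = [[0j] * dim for _ in range(dim)]
    for c, kb in keys:
        v = hn_encrypt(c, kb, pbits)
        for i in range(dim):
            for j in range(dim):
                rho[i][j] += v[i] * v[j].conjugate() / len(keys)
    return all(abs(rho[i][j] - (1 / dim if i == j else 0)) < tol
               for i in range(dim) for j in range(dim))


def key_weights(n, pbits, u):
    """The values |<u|c_k>|^2 for every key k: the input to H[|u>, S_K] of Sect. 6."""
    return [abs(sum(a.conjugate() * b for a, b in zip(u, hn_encrypt(c, kb, pbits)))) ** 2
            for c, kb in all_keys(n)]


def entropy_given_outcome(n, pbits, u):
    """H[|u>, S_K], eq. (22): normalize the weights to a distribution and take its entropy."""
    w = key_weights(n, pbits, u)
    tot = sum(w)
    return -sum((x / tot) * math.log2(x / tot) for x in w if x > 1e-12)


def max_key_probability(n, pbits, u):
    """Probability of the most likely key given outcome u; Theorem 1 gives 2**(n-m) = 1/2 here."""
    w = key_weights(n, pbits, u)
    return max(w) / sum(w)


def computational_basis_key_uncertainty(n, pbits):
    """H(K|U), eq. (18), for the Von Neumann measurement in the computational basis."""
    total = 0.0
    for ubits in product((0, 1), repeat=n):
        u = basis_state(ubits)
        w = key_weights(n, pbits, u)
        pr_u = sum(w) / len(w)  # Pr(U=u) over a uniform key, eq. (20) with |a_u|^2 = 1
        total += pr_u * entropy_given_outcome(n, pbits, u)
    return total


if __name__ == "__main__":
    print(hn_decrypt(1, (1, 0, 1), hn_encrypt(1, (1, 0, 1), (0, 1, 1))))  # (0, 1, 1)
    print(is_data_hiding(2, (1, 0)))                                      # True
    print(computational_basis_key_uncertainty(3, (0, 1, 1)))             # 2.5 = n/2 + 1
```

For a computational-basis outcome u the weights split as in the proof of Lemma 4: the single key with c = 0 and k = u ⊕ a has weight 1, and every key with c = 1 has weight $2^{-n}$, so the weights sum to $2^t = 2$ and the normalized distribution has entropy 1/2 + (n + 1)/2 = n/2 + 1, with the most probable key at probability 1/2.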

For the case of $W_n$, we can use a result by Larsen [4]. He considers the probability distributions induced by measuring a state $|u\rangle$ in N + 1 mutually unbiased bases, for a space of dimension N. Let the set of bases be $B_1, \ldots, B_{N+1}$ and let $\pi_{|u\rangle,i}$ be the collision probability for the i'th distribution, i.e., the sum of the squares of all probabilities in the distribution. Then Larsen's result (actually a special case of it) says that

$\sum_{i=1}^{N+1} \pi_{|u\rangle,i} = 2.$ (26)

In our case, $N = 2^n$. However, to apply this to our cipher $W_n$, we would like to look at a set of only $2^n$ bases, and we want a bound on the sum of the entropies $H[|u\rangle, B_i]$ and not the sum of the collision probabilities. This can be solved following a line of arguments from Sanchez-Ruiz [8]. Using Jensen's inequality, we obtain the following:

$\sum_{i=1}^{N} H[|u\rangle, B_i] \;\ge\; -\sum_{i=1}^{N} \log \pi_{|u\rangle,i} \;\ge\; -N \log\Bigl(\frac{1}{N}\sum_{i=1}^{N} \pi_{|u\rangle,i}\Bigr) \;>\; -N \log\frac{2}{N} = N(n-1).$ (27)



Together with Lemma 4, we get:

Theorem 3. The $W_n$-cipher has Shannon key-uncertainty greater than 2n − 1 bits.



Unlike for $H_n$ (i.e. Theorem 2), Theorem 3 only provides a lower bound for the key uncertainty of $W_n$.

Let $\mathcal B$ be any set of $2^t$ mutually unbiased bases living in a Hilbert space of dimension $2^n$. The largest value we could hope for $MES(\mathcal B)$ is $(2^t - 1)n$ bits, since this value is exactly matched when the state measured is a state that belongs to a basis in $\mathcal B$. It is natural to define $\Delta(n,t)$ as the distance between $MES(\mathcal B)$ and the maximum possible value:

$\Delta(n,t) = (2^t - 1)n - MES(\mathcal B).$

Given what we know already, it seems reasonable to conjecture that $\Delta(n,t)$ is, in some sense, small: we know that $\Delta(n,1) = 0$ and also that $\Delta(n,n) < (2^n - 1)n - 2^n(n-1) = 2^n - n$. Let us consider the following conjecture:

Conjecture 1. For any set $\mathcal B$ containing $2^n$ mutually unbiased bases in a Hilbert space of dimension $2^n$, it holds that $\Delta(n,n)/2^n \in o(1)$ (note that we already know the fraction is strictly smaller than 1).

In this case, we easily conclude that cipher $W_n$ has almost full Shannon key-uncertainty:

Lemma 5. Under Conjecture 1, $W_n$ has Shannon key-uncertainty at least $2n - o(1)$ bits.

Proof. From Lemma 4, the Shannon key-uncertainty of $W_n$ is at least $n + MES(\mathcal B)/2^n$. Conjecture 1 leads to $MES(\mathcal B)/2^n = ((2^n - 1)n - \Delta(n,n))/2^n = n - o(1)$. The result follows. □

The $H_n$- and $W_n$-ciphers represent two extremes, using the minimal non-trivial number of bases, respectively as many of the known mutually unbiased bases as we can address with an integral number of key bits. It is not hard to define example ciphers that are "in between" and prove results on their key-uncertainty using the same techniques as for $W_n$. However, what can be derived from Larsen's result using the above line of argument (i.e. Equation 27) becomes weaker as one considers a smaller number of bases.

8 Composing Ciphers 

What happens to the key uncertainty if we use a quantum cipher twice to encrypt two plaintext blocks, using independently chosen keys? Intuition based on classical behavior suggests that the key uncertainty should now be twice that of a single application of the cipher, since the keys are independent. But in the quantum case, this requires proof: the adversary will be measuring a product state composed of two ciphertext blocks. If the adversary was to measure each block individually, then clearly the key uncertainty would be twice the key uncertainty of a single block. However, coherent measurements involving both blocks simultaneously may provide more information on the key than what is achievable by measuring the blocks individually.



In the following, we consider composition of the cipher $C_B$ with itself, where
$B$ consists of $2^t$ bases for a space of dimension $2^n$. This is a $(2(t+n), 2n)$-cipher
which we call $C_B^2$. Say $B$ consists of the bases $B = \{B_0, \dots, B_{2^t-1}\}$. Let us
consider the tensor product of two Hilbert spaces of dimension $2^n$ each. Then
$B_i \otimes B_j$ denotes the basis of this tensor product space that one obtains by taking
all pairwise tensor products of the $2^n$ basis vectors in each of $B_i$ and $B_j$. We
will let $B \otimes B$ denote the set of all $2^{2t}$ bases that can be formed this way. Since
each such basis consists of $2^{2n}$ basis vectors, $B \otimes B$ can also be thought of as a
collection of $2^{2t+2n}$ pure states.

From the adversary's point of view, determining the two $(t+n)$-bit keys from two
ciphertext blocks is equivalent to the following experiment: choose uniformly a
state in $B \otimes B$; now the adversary wants to make a measurement that minimizes
the uncertainty about the state that was picked.

To study this question, we split $B \otimes B$ into subsets: let $\mathcal{B}_i$ be the set of $2^t$ bases
defined by

$\mathcal{B}_i = \{ B_j \otimes B_{j+i \bmod 2^t} \mid j = 0, 1, \dots, 2^t - 1 \}$ (28)

It is now easy to see that $B \otimes B$ is the disjoint union of the $\mathcal{B}_i$'s, for $i = 0, 1, \dots, 2^t - 1$.

Now, the choice of a state in $B \otimes B$ can be rephrased as follows: choose
$i$ uniformly from $[0..2^t - 1]$, and then choose a state uniformly from $\mathcal{B}_i$. Let
$I, J$ be random variables representing these choices, and let $U$ be the random
variable representing the adversary's measurement result. Standard properties
of Shannon entropy give:

$H(I, J \mid U) = H(I \mid U) + H(J \mid I, U).$

It is straightforward to see that a uniform mixture over all $2^{t+2n}$ states in
$\mathcal{B}_i$ is in fact the complete mixture, and so has the same density matrix for any
$i$, hence no measurement can reveal information on $I$ and we have $H(I \mid U) = t$.
We define $M_2(B) = \min_i \{ MES(\mathcal{B}_i) \}$. Then, using exactly the same line of
argument as for Lemma 4, one finds that for each particular value of $i$, we have
$H(J \mid I = i, U) \ge t + MES(\mathcal{B}_i)/2^t$ and hence $H(J \mid I, U) \ge t + M_2(B)/2^t$. Putting
things together gives:

Lemma 6. $C_B^2$ has Shannon key-uncertainty at least $2t + M_2(B)/2^t$.

Considering composition of $C_B$ $v$ times with itself, denoted $C_B^v$, the techniques
above extend in a straightforward way. In particular, we end up defining a minimum
$M_v(B)$ over entropy sums for a generalization of the $\mathcal{B}_i$'s. This leads to:

Lemma 7. $C_B^v$ has Shannon key-uncertainty at least $vt + M_v(B)/2^t$.

Note that by the construction defined in (28), each $\mathcal{B}_i$ is a set of mutually
unbiased bases, and this holds also for any of the $v$-wise generalizations. In the
special case of $H_n$, we have $t = 1$, and each $\mathcal{B}_i$ (as well as its $v$-wise generalization)
contains 2 mutually unbiased bases. Lemma 7 together with the result of [6] (which
in our notation reads $M_v(B) = vn$) immediately implies:

Theorem 4. The cipher $H_n^v$ has Shannon key uncertainty $v(n/2 + 1)$ bits.
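As an added numerical check of Lemma 6 and Theorem 4 (example code written for this page, not the paper's own): for the two-basis cipher $H_n$ it enumerates every ciphertext state of a known plaintext and computes $H(K \mid U)$ exactly for a chosen projective measurement, for one block and for the product of several independently keyed blocks. It assumes $H_n$ is realised with the computational and Hadamard bases (key bit $b$ selects the basis, $k$ is XORed into the plaintext); measuring each block in the computational basis attains $v(n/2+1)$ exactly, and a coherent Bell measurement across two blocks does not go below that bound.

```python
import itertools
import math

# Added example, not the paper's code. Assumed realisation of H_n: key (b, k)
# encrypts plaintext a as X^k|a> if b = 0 and as H^{(x)n} X^k|a> if b = 1.

def basis_vec(bits):
    """Computational basis state |bits> as a list of real amplitudes."""
    v = [0.0] * (1 << len(bits))
    v[int("".join(map(str, bits)), 2)] = 1.0
    return v

def hadamard_all(v):
    """Apply a Hadamard gate to every qubit of state vector v (in place)."""
    for q in range(int(math.log2(len(v)))):
        for i in range(len(v)):
            if not i & (1 << q):
                lo, hi = v[i], v[i | (1 << q)]
                v[i], v[i | (1 << q)] = (lo + hi) / math.sqrt(2), (lo - hi) / math.sqrt(2)
    return v

def hn_ciphertexts(n, a):
    """Map every key (b, k) of H_n to the ciphertext state of plaintext a."""
    out = {}
    for b in (0, 1):
        for k in itertools.product((0, 1), repeat=n):
            v = basis_vec([x ^ y for x, y in zip(a, k)])
            out[(b,) + k] = hadamard_all(v) if b else v
    return out

def compose(blocks):
    """Independently keyed blocks -> product states, with keys concatenated."""
    out = {(): [1.0]}
    for blk in blocks:
        out = {k1 + k2: [x * y for x in s1 for y in s2]
               for k1, s1 in out.items() for k2, s2 in blk.items()}
    return out

def computational_basis(dim):
    """Outcome vectors of a computational-basis measurement in dimension dim."""
    return [basis_vec(b) for b in itertools.product((0, 1), repeat=int(math.log2(dim)))]

def key_uncertainty(ciphers, measurement):
    """H(K|U) in bits for a uniform key K and the projective measurement whose
    outcomes U are the orthonormal real vectors in `measurement`."""
    nkeys = len(ciphers)
    h = 0.0
    for m in measurement:   # P(U=m, K=key) = |<m|psi_key>|^2 / nkeys
        p_uk = [sum(x * y for x, y in zip(m, s)) ** 2 / nkeys for s in ciphers.values()]
        p_u = sum(p_uk)
        h -= sum(p * math.log2(p / p_u) for p in p_uk if p > 0)
    return h
```

For $n = 1$ the computational-basis measurement gives 1.5 bits and the Breidbart basis gives about 1.60 bits, so the intermediate basis is not the adversary's best choice here; on two composed blocks the Bell measurement gives 3.5 bits against the bound of 3.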

We do not know of any strong results on the minimal entropy sum for any
set of mutually unbiased bases except when its cardinality is 2 [6] or is close to
the dimension of the space [4, 8]. Therefore, we cannot prove a good lower bound
on the Shannon key-uncertainty for the composition of $W_n$. Already for $W_n^2$,
we need to consider a set of $2^n$ mutually unbiased bases living in a space of
dimension $2^{2n}$. Using the notation of the previous section, we need to bound
$\Delta(2n, n)$, or more generally $\Delta(vn, n)$.

While $\Delta(vn, n) =$ may be too much to hope for, it seems reasonable to
conjecture a result similar to the one we know for $\Delta(n, n)$:

Conjecture 2. For any set $B$ of $2^n$ mutually unbiased bases living in a Hilbert
space of dimension $2^{vn}$, it holds that $\Delta(vn, n) \le 2^n - vn$.

We then have:

Lemma 8. Under Conjecture 2, $W_n^v$ has Shannon key-uncertainty at least $2vn - 1$
bits.

9 Application to Stream-Ciphers 

We can use the quantum ciphers we just described to build a (computationally 
secure) quantum stream-cipher using a short key K of length independent from 
the message length. In fact, any (m,n)-cipher and classical pseudorandom gen- 
erator can be used: we seed the generator with key K, and use its output as a 
keystream. To encrypt, we simply take the next m bits from the keystream and 
use these as key in the cipher to encrypt the next n bits of the plaintext. 

Since an (m, n)-cipher has perfect security, this construction would have per- 
fect security as well if the keystream was genuinely random. By a standard 
reduction, this implies that breaking it is at least as hard as distinguishing the 
output of the generator from a truly random string. 

All this is true whether we use a classical or an (m, n)-quantum cipher. How- 
ever, by our results on Shannon key-uncertainty, the adversary is in a potentially 
much harder situation in the quantum case. For intuition on this, we refer to the 
discussion in the introduction. As a more concrete illustration, we consider the 
following scenario: 

1. We have a pseudorandom generator $G$, expanding a $k$-bit seed $K$ into an
$N$-bit sequence $G(K)$. Furthermore, any subset containing at most $e$ bits
of $G(K)$ is uniformly random. Finally, no polynomial time (in $k$) classical
algorithm can with non-negligible advantage distinguish $G(K)$ from a truly
random sequence when given any piece of data that is generated from $G(K)$
and contains at most $t$ bits of Shannon information on $G(K)$. Both $e$ and $t$
are assumed to be polynomial in $k$.

2. Coherent measurements simultaneously involving $\mu$ qubits or more are not
possible to implement in practice. However, technology has advanced so that
the $W_n$-cipher can be implemented for some $n \ll \mu$.



3. We will consider an adversary that first obtains some amount of known plaintext.
Given the plaintext, he decides on a number of complete measurements
that he executes on parts of the ciphertext (under the constraints of assumption
2). For simplicity we assume that each measurement involves an integral
number of $n$-bit ciphertext blocks.¹ Finally he executes any polynomial time
classical algorithm to analyze the results.

The first assumption can be justified using a result by Maurer and Massey [5] on
locally random pseudorandom generators. Their result asserts that there exist
pseudorandom generators satisfying the assumption that any $e$ bits are genuinely
random, provided $e < k/\log_2 N$. Their generators may not behave well against
attacks having access to more than $e$ bits of the sequence, but one can always
xor the output from their generator with the output of a more conventional one
using an independent key. This will preserve the local randomness.

Note that the size of $k$ does not influence the size of the quantum computer
required for the honest party to encrypt or decrypt. The third assumption
essentially says that we do not expect that results of (incomplete) measurements
obtained on one part of the ciphertext will help significantly in designing
measurements on other parts. This is justified as long as not too many measurements
are performed: as long as results from previous measurements contain less than $t$
bits of information on the keystream, then by assumption 1, these results might
(from the adversary's point of view) as well have been generated from measuring
a random source, and so they do not help in designing the next measurement.
This assumption can therefore be dropped in a more careful analysis, since it
essentially follows from assumptions 1 and 2. For simplicity, we choose to make
it explicit.

Lemma 9. Assume we apply the $W_n$-cipher for stream encryption using a pseudorandom
generator and with an adversary as defined by assumptions 1, 2, and
3 above. Suppose we choose $e = 2\mu$ and $k > 2\mu \log_2 N$. Then, assuming Conjecture
2, the adversary will need to obtain $tn$ bits of known plaintext in order
to distinguish the case of a real encryption from the case where the keystream is
random.

Proof. Assume the PRG satisfies assumption 1, which is possible since $k >
e \log_2 N$. By assumption 2, any attack that measures several blocks of ciphertext
in one coherent measurement can handle at most $\mu = e/2$ qubits at any
one time. By construction, this ciphertext was created using less than $e$ bits
of the keystream, which is random by assumption 1. Therefore, the measurement
will give the same result as when attacking the composition $W_n^v$, since
the measurement involves $v < \mu$ qubits (since different blocks of the keystream
are independent if the stream is truly random) and by assumption 3. Hence, by
Lemma 8 and under Conjecture 2, the adversary learns less than 1 bit of information
on the keystream from each measurement. Now, if the adversary has
$T$ bits of known plaintext, and hence measures $T$ ciphertext bits, the maximal
number of measurements that can take place is $T/n$, so he needs to have $T/n > t$
in order for the classical distinguisher to work, by assumption 1. The lemma
follows. □

¹ This assumption can be dropped so that we can still prove Lemma 9 using a more
complicated argument and provided the local randomness of the generator is
expanded from $e$ to n^e.

This lemma essentially says that for a generator with the right properties, and for
an adversary constrained as we have assumed, quantum communication allows
using the generator securely to encrypt $tn$ bits, rather than the $t$ bits we would
have in the classical case. Depending on how close the actual key uncertainty of
compositions of $W_n$ is to the maximal value, the number of required plaintext
bits can be much larger. The best we can hope for would be if $\Delta(vn, n) =$ for
all $n, v$, in which case the adversary would need plaintext bits.

A similar result can be shown without assuming any conjecture for the $H_n$
cipher. In this case, we gain essentially a factor 2 in plaintext size over the
classical case.

Of course, these results do not allow us to handle adversaries as general as we
would like; our constraints are different from just assuming the adversary is
quantum polynomial time. Nevertheless, we believe that the scenario we have
described can be reasonable with technology available in the foreseeable future.
Moreover, it seems to us that quantum communication should help even for
more general adversaries and generators. Quantifying this advantage is an open
problem.



10 Conclusion and Open Problems 



We have seen that, despite the fact that quantum communication cannot help to 
provide perfect security with shorter keys when only one-way communication is 
used, there are fundamental differences between classical and quantum ciphers 
with perfect security, in particular the Shannon key uncertainty can be much 
larger in the quantum case. However, the min-entropy key-uncertainty is the 
same in the two cases. It is an open question whether encryption performed 
by general quantum operations allows for quantum ciphers to have more min- 
entropy key-uncertainty than classical ones. 

We have also seen an application of the results on Shannon key uncertainty 
to some example quantum ciphers that could be used to construct a quantum 
stream-cipher where, under a known plaintext attack, a resource-bounded ad- 
versary would be in a potentially much worse situation than with any classical 
stream-cipher with the same parameters. 

For the ciphers we presented, the Shannon key-uncertainty is known exactly
for the $H_n$-cipher but not for the $W_n$-cipher. It is an interesting open question
to determine it. More generally, are Conjectures 1 and 2 true?
A Encryption Circuit for the $W_n$-Cipher

The circuit depicted in Fig. 2 implements the encryption of any plaintext $a =
a_1, \dots, a_n \in \{0,1\}^n$ according to the secret key $(c, k) \in \{0,1\}^{2n}$. It uses three
sub-circuits (1), (2), and (3) as defined in Fig. 1.

Sub-circuit (1), given $c$ and $a$, produces the matrix $c \cdot a$ in the register denoted $A$. Notice
that circuit (1) is a classical circuit. It can be implemented with O(n^) classical
gates. The sub-circuit (2) accepts as input $\alpha = c \cdot a$ together with $l$, computes
$d = l^{T} \alpha\, l \in [0, \dots, 3]$, and stores the result in a 2-qubit register $I$. In (3), an
overall phase factor $i^d$ is computed in front of the computational basis element $|l\rangle$.
The last gates reset registers $I$ and $A$, making sure the registers containing
the encrypted data are separable from the other registers. It is straightforward
to verify that registers initially in state $|a_1\rangle \otimes \dots \otimes |a_n\rangle$ end up in state $|w^{a}_{c,k}\rangle$ as
required. The overall complexity is O(n^) quantum gates since (3) requires only
O(n^) CNOTs, which is of the same complexity as super-gate (2). In conclusion,
the total number of gates is O(n^), out of which O(n^) are quantum.
Fig. 1. Sub-circuits to the encryption circuit of Fig. 2.
Fig. 2. Encoding circuit for cipher $W_n$.



